问题描述
BackGround :用户一旦登录到我们的Web应用程序(使用应用程序级别凭据),将与他们想要使用的邮件系统一起显示给该用户,该系统将被重定向到相应的授权服务器,以进行身份验证(使用其邮件系统的登录名/密码),然后身份验证服务器将返回访问令牌.
BackGround : User once logged in to the our Web Application (using App level credential) will be presented with with Mail System they want to use based on that user will be redirected to respective authorization server to authenticate (using login / password of their mail system) and the auth server will return an access token back.
在通知事件中,例如OnAuthorizationCodeReceivedAsync或OnAuthenticationFailedAsync;我们没有得到 ASP.NET_SessionId ,因此,我无法使用OAuth Flow之前设置的任何会话值.
In Notification events like OnAuthorizationCodeReceivedAsync or OnAuthenticationFailedAsync; we are not getting ASP.NET_SessionId so having said that i am not able to use any of the session values which are set before OAuth Flow.
有关更多详细信息,请参见下面的代码.
Refer below Code for more details.
app.UseOpenIdConnectAuthentication(New OpenIdConnectAuthenticationOptions With {
.ClientId = appId,
.ClientSecret = appSecret,
.Authority = "https://login.microsoftonline.com/common/v2.0",
.Scope = $"openid email profile offline_access {ewsScopes}",
.RedirectUri = redirectUri,
.PostLogoutRedirectUri = redirectUri,
.TokenValidationParameters = New TokenValidationParameters With {
.ValidateIssuer = False
},
.Notifications = New OpenIdConnectAuthenticationNotifications With {
.AuthenticationFailed = AddressOf OnAuthenticationFailedAsync,
.AuthorizationCodeReceived = AddressOf OnAuthorizationCodeReceivedAsync
}
})
我无法在HttpConext.Current.Session中获得任何在OAuth流通知事件之前设置的会话值.
I am not able to get any session values in HttpConext.Current.Session which are set before OAuth flow in notification events.
按照下面的SO;我尝试了其他方法,例如SystemWebCookieManager,UseKentorOwinCookieSaver,但问题未解决.
ASP.NET_SessionId + OWIN Cookies不会发送到浏览器
As per below SO; i tried different approaches like SystemWebCookieManager, UseKentorOwinCookieSaver but issue not resolved.
ASP.NET_SessionId + OWIN Cookies do not send to browser
可能是问题所在,我该如何解决?
What could be the issue and how can I resolve it?
推荐答案
ByDefault; OpenIDConnect使用与SameSite不兼容的表单发布重定向.由于该应用程序会话cookie没有发送过来,因此应该如此.
ByDefault; OpenIDConnect uses form post redirects which are incompatible with SameSite. Due to that Application Session cookie not sent over and that is how it should be.
按照下面的几个Stack溢出链接;使用URL重写或在web.config下使用URL重写可以使我们在将响应回发到回调URL时保持会话状态,但是我们仍然需要使用Owin的SystemWebCookieManager才能正常工作.
As per couple of Stack overflow link below; using either URL rewrite or below web.config allows us to maintain session when response is posted back to Callback url but we still need to use Owin's SystemWebCookieManager for that in order to work.
浏览器将赢得胜利在付款网关向我们网站的发布请求中设置ASP.NET_SessionId cookie
如何将SameSite属性添加到我的ASP .net_SessionID cookie是自动生成的吗?
考虑以上情况;用于OpenIDConnect身份验证;将samesite cookie设置为none并确保安全;应该可以,但是我担心这会增加CSRF(跨站点请求伪造)应用程序的漏洞.
Considering above scenario; for OpenIDConnect Authentication; setting samesite cookie to none and secure; that should work but i afraid that would raise CSRF (Cross site request Forgery) vulnerability for application.
因此,另一种选择是切换到使用HTTP重定向并与SameSite = Lax一起使用的Code响应类型.设置适当的代码响应模式和响应类型.
Hence, An alternative is to switch to the Code response type which uses HTTP redirects and works with SameSite=Lax. Set the appropriate code response mode and response type.
ResponseMode = OpenIdConnectResponseMode.Query;
ResponseMode = OpenIdConnectResponseMode.Query;
ResponseType = OpenIdConnectResponseType.Code;
ResponseType = OpenIdConnectResponseType.Code;
这篇关于在OWIN OpenIdConnectAuthentication中找不到ASP.NET_SessionId的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!